Matthew McPherrin

419 Followers
309 Following
348 Posts
SRE at Let's Encrypt, though these toots are my own.
new tech warcrime

ppl always complain that the clock on my microwave never shows the right time bcs i cant be assed to set it manually

so now i have an unfuck-microwave.sh cronjob which briefly kills its power every day at midnight

It looks like some of this data is incorrect due to a Firefox bug, which I've filed as https://bugzilla.mozilla.org/show_bug.cgi?id=1972339
1972339 - cert.validation_success_by_ca bin collision between CAs and unknown entries in RootCertificateTelemetryUtils.h

NEW (nobody) in Core - Security: PSM. Last updated 2025-06-16.

@cybeej Internet Security Research Group is the name of the organization that runs Let's Encrypt (ie, in #3 position)

Firefox's telemetry has data on how many times a CA is used to successfully validate certificates. This is a pretty good measure for how "big" a CA is. The data is hard to view in Mozilla's site, so I've made a script to combine a few data sources and graph it! https://github.com/mcpherrinm/cert-count

Inspired by the classic xeyes program, I made a thing:

ssh teyes.fly.dev

Or go install github.com/mcpherrinm/teyes@latest && teyes

Give your mouse a wiggle over the terminal!

I'll be speaking at the Ontario Cryptography Day!

https://ontario-crypto-day.github.io/

Where: University of Waterloo Davis Centre (DC) 1301 and 1302
When: Friday, June 6, 2025, from 10am to approx. 4:30pm

I hope anyone in the area interested in cryptography is able to attend. It's a free event, but registration is required.

Ontario Cryptography Day

June 6, 2025 • University of Waterloo

@rsalz interesting that the criterion is in ALL root stores, which might be an issue in some cases as root stores evolved.

E.g., a new CA that's trusted directly in Chrome, with a cross-sign from an old CA. Perhaps Chrome only trusts the new CA, and some other program like Microsoft (who aren't taking new roots right now) only supports the old CA providing the cross-sign.

A certificate chain with the cross-sign will work with both programs, but Akamai's policy here seems like it may exclude said CA.
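The cross-sign scenario above, worked through in Go as an added example (not code from the post, from Akamai or from Let's Encrypt): it builds an old root, a new root, a cross-sign of the new root's key issued by the old root, and a leaf issued by the new root, then uses Go's crypto/x509 to verify the leaf, with the cross-sign supplied as an intermediate, against a store trusting only the new root and against one trusting only the old root. All names, serials and keys are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func template(cn string, serial int64, ca bool, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{ // minimal template; CNs and serials are constructed test values
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: ku,
	}
}
// sign issues tmpl for pub, signed by signer; pass tmpl itself as parent for a self-signed root.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert
}

// CrossSignVerify reports whether a leaf issued by New Root verifies against a store trusting only New Root and against one trusting only Old Root, when New Root's cross-sign is sent as an intermediate.
func CrossSignVerify() (viaNewRoot, viaOldRoot bool) {
	oldKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	newKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	oldT := template("Old Root", 1, true, x509.KeyUsageCertSign)
	newT := template("New Root", 2, true, x509.KeyUsageCertSign)
	oldRoot := sign(oldT, oldT, &oldKey.PublicKey, oldKey)
	newRoot := sign(newT, newT, &newKey.PublicKey, newKey)
	// Cross-sign: New Root's subject and key, but issued and signed by Old Root.
	crossSign := sign(template("New Root", 3, true, x509.KeyUsageCertSign), oldRoot, &newKey.PublicKey, oldKey)
	leaf := sign(template("leaf", 4, false, x509.KeyUsageDigitalSignature), newRoot, &leafKey.PublicKey, newKey)
	verifyWith := func(root *x509.Certificate) bool { // chain: leaf -> (New Root | cross-sign) -> root
		roots, inter := x509.NewCertPool(), x509.NewCertPool()
		roots.AddCert(root)
		inter.AddCert(crossSign) // the cross-sign travels with the chain, as a server would send it
		_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
		return err == nil
	}
	return verifyWith(newRoot), verifyWith(oldRoot)
}
```

Both results are true: one served chain satisfies either store, even though the new root itself is present in only one of them, which is the gap a policy keyed to "the root is in all root stores" can open.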

@MichaelPorter GPS receivers in datacenters provide an accurate source of time, which is how basically everyone sets their clock now. It's how your phone and computer know the time, though maybe one or two steps away from GPS.

Of all the things I didn't expect to ever happen, iOS Safari actually got a certificate viewer in 18.4! https://webkit.org/blog/16574/webkit-features-in-safari-18-4/#connection-security
WebKit Features in Safari 18.4

We've issued our first short-lived (6 day) certificate! https://letsencrypt.org/2025/02/20/first-short-lived-cert-issued/
We Issued Our First Six Day Cert

Earlier this year we announced our intention to introduce short-lived certificates with lifetimes of six days as an option for our subscribers. Yesterday we issued our first short-lived certificate. You can see the certificate at the bottom of our post, or here thanks to Certificate Transparency logs. We issued it to ourselves and then immediately revoked it so we can observe the certificate’s whole lifecycle. This is the first step towards making short-lived certificates available to all subscribers.